Surge in Grabbing Unauthorized Access

Authorization, an access control system, is all about administering and providing sensitive system access to a process or an application or a class of users based on their privilege level. Privacy and security concerns arise when system resources are accessed by an unauthorized process, application, or user.

Application and system developers always strive to incorporate secure authorization systems in their software. On the other hand, hackers come forth with new exploit techniques to elevate the access privilege associated with a specific process, system, or user. Many of the attacks start with an entry into the targeted systems with limited privileges and then an attempt to elevate privileges by exploiting a vulnerability in the OS itself or in third-party installations.

We conducted a short piece of research on Elevation of Privilege (EoP) vulnerabilities using publicly available information on vulnerabilities discovered in operating systems, desktop applications and browsers. Interestingly, the data indicates a significant rise in EoP vulnerabilities over the past two-and-a-half years.

From our research set of Microsoft Windows operating system vulnerabilities found over the period mentioned above, 115 of the 700 vulnerabilities, i.e. approximately 16%, were privilege escalation vulnerabilities. It is clear from the data set that attackers and malware writers are focusing more on EoP vulnerabilities in order to carry out their malicious attacks as silently as possible.

Standalone exploitation of an EoP vulnerability might not be sufficient for the attacker to achieve the intended destructive behaviour, forcing the attacker to look for yet another vulnerability in the system to exploit.

The following is a list of commonly exploited Windows components:

  • The Group Policy Service
  • Windows kernel-mode driver (Win32k.sys)
  • Cryptography Next Generation kernel-mode driver (cng.sys)
  • WebDAV kernel-mode driver (mrxdav.sys)
  • TS WebProxy Windows component
  • Windows User Profile Service (ProfSvc)
  • Microsoft IME
  • TypeFilterLevel checks
  • Windows audio service component
  • Windows TCP/IP stack (tcpip.sys, tcpip6.sys)
  • Kerberos KDC
  • FASTFAT system driver, FAT32 disk partitions
  • Message Queuing service
  • .NET Framework
  • Windows Task Scheduler
  • Windows Installer service
  • DirectShow
  • Ancillary Function Driver
  • On-Screen Keyboard
  • ShellExecute API
  • Group Policy preferences
  • NDProxy component
  • Local Remote Procedure Call
  • Windows audio port-class driver (portcls.sys)
  • Hyper-V
  • USB drivers
  • Windows App Container
  • DirectX graphics kernel subsystem (dxgkrnl.sys)
  • Service Control Manager (SCM)
  • NT Virtual DOS Machine (Ntvdm.exe)
  • Asynchronous RPC request handling (Rpcss.dll)
  • TrueType font file handling
  • Windows Print Spooler (Win32spl.dll)
  • NTFS kernel-mode driver (ntfs.sys)
  • Windows CSRSS (cmd.exe)
  • Remote Desktop ActiveX control (mstscax.dll)
  • Windows USB drivers

We see that attackers often aim for a highly destructive attack by exploiting privilege escalation and code execution vulnerabilities together.

Techniques employed by malware writers constantly evolve to achieve the desired privilege escalation undetected. Many privilege elevation techniques are publicly documented online, such as:

  1. METHOD OF PROVIDING A COMPUTER USER WITH HIGH LEVEL PRIVILEGES, PATENT 7,945,947
  2. Exploiting the known failure mechanism in DDR3 memory referred to as Row Hammer to gain kernel privileges, with the only “patch” being a replacement of the DRAM!

Sometimes it is simply not possible to patch a vulnerability.

Elevation of Privilege is not limited to operating systems but is also witnessed in desktop applications, browsers, web applications and even in hardware. With the increasing popularity of the Internet of Things across devices everywhere, exploiting an Elevation of Privilege vulnerability in just one of the links in an Internet of Things deployment could give the attacker complete control of the whole system.

Image courtesy of: tompattersontalks.blogspot.in

Priyal Viroja, Vulnerability Researcher, K7TCL
Re-published by K7 Computing Ireland

K7 Computing websites:

K7 Computing Ireland: www.k7computing.ie, K7 Computing UK: www.k7computing.co.uk

Exorcising CTB Locker from your Computer: What you Need to Know

Ransomware, a type of malware which holds your files to ransom by encrypting them and then demanding a ransom for their “release”, i.e. by decryption, is nothing new. Cyber criminals make a lot of money by extorting funds from victims all over the world.


The latest family of widely distributed ransomware is called CTB Locker. In this blog we have decided to provide information about CTB Locker in the form of an FAQ so that our customers and the general public globally may be well-informed about the dangers of this malware family, learn how to avoid it, and be reassured about our robust response to it.

FAQ

  • How do you prevent your computer from becoming infected by CTB Locker?

Let’s begin with this question as it is the most important one to keep your computer safe. Prevention is always better than cure.

The initial spreading vector for CTB Locker is a spam email with enticing content which uses social engineering techniques to convince the potential victim to unzip a ZIP archive attachment (extension ‘.zip’) and execute its embedded file.

This embedded file, which is currently around 40KB in size, may have a misleading extension such as ‘.scr’ in order to masquerade as a screensaver application. This file is the downloader component for CTB Locker’s main payload, which then does the actual file encryption and makes the ransom demands. We urge you to be vigilant against such spam emails as this is the very first line of defence against CTB Locker, as well as against a host of other malware families which use the same old time-tested technique to spread.

If an email comes from an unknown or unexpected source containing an attachment or a website link requesting you to open the attachment or click on the link, please exercise extreme caution. We would suggest simply deleting such emails if they are not already quarantined by your spam filter.
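An added example, not code from the post or from K7, showing how a mail gateway or an analyst could triage such a ZIP attachment offline: it flags archive members with an executable extension such as ‘.scr’, a double extension that hides the executable behind a document name, and a Windows PE (‘MZ’) header. The sample archive and its member name are constructed here; the extension list is an assumption.

```python
import io
import zipfile

# Extensions Windows executes directly; '.scr' is the one the post describes (assumed list).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def inspect_zip_attachment(zip_bytes):
    """Return a list of (member_name, reasons) for suspicious ZIP members.

    The archive is inspected in memory only; nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
                if len(parts) > 2:
                    reasons.append("double extension masquerading as a document")
            # Peek at the first two bytes only: Windows executables start with 'MZ'.
            with archive.open(info) as member:
                head = member.read(2)
            if head == b"MZ":
                reasons.append("PE header (MZ) inside the attachment")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_attachment():
    """Constructed demo ZIP resembling the described lure (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Constructed stand-in: a PE-like stub named to look like a PDF document.
        archive.writestr("Invoice_2015.pdf.scr", b"MZ" + b"\x00" * 62)
        archive.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip_attachment(build_sample_attachment()):
        print(member, "->", "; ".join(why))
```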

The spam emails tend to be targeted at English-speaking countries and at least 3 European countries given that the malware payload provides its ransom messages in German, Dutch and Italian.

Image: CTB Locker main screen (Dutch)

Image: CTB Locker main screen (German)

Image: CTB Locker main screen (Italian)

This ransomware is not targeted at Indian users per se but given the ubiquitous nature of spam there will be “collateral damage” resulting in not just Indian victims but also many other hapless victims in other non-target countries.

  • What should you do when you discover your computer is infected with CTB Locker?

If you have seen messages demanding a ransom as shown above, it is likely that many, if not all, of your personal files such as Microsoft Office documents, PDF, TXT, ZIP and even ‘C’ source code files will be in an encrypted state, i.e. they appear to contain random binary junk. Files encrypted by CTB Locker will have filenames of the form yourfile.ext.<7 random lowercase letters>, e.g. 253667.PDF.iryrzpi.

Image: CTB Locker leaves executable files untouched

Executable files, e.g. EXE, DLL, OCX, etc., and files with extensions unknown to the malware will not be touched.
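An added incident-response example, not code from the post or from K7, that walks a directory for files matching the naming pattern described above (original extension followed by seven random lowercase letters) and uses byte entropy to corroborate that the content looks like random binary junk rather than a coincidentally named plain file. The sample directory is constructed; the 7.0 bits-per-byte threshold and the 1-5 character original-extension length are assumptions.

```python
import math
import os
import re
import tempfile
from collections import Counter

# CTB Locker appends seven random lowercase letters after the original extension,
# e.g. 253667.PDF.iryrzpi; the regex captures the original name and extension.
CTB_NAME_RE = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{1,5})\.(?P<suffix>[a-z]{7})$")


def shannon_entropy(data):
    """Bits per byte in the range 0..8; encrypted data sits close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_ctb_locker_files(root, min_entropy=7.0, sample_bytes=4096):
    """Return (path, original_extension, entropy) for files under root whose name
    matches the CTB Locker pattern and whose leading bytes look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            m = CTB_NAME_RE.match(fn)
            if not m:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(sample_bytes))
            if ent >= min_entropy:  # assumed threshold; plain text is far lower
                hits.append((path, m.group("ext").lower(), ent))
    return hits


def build_sample_tree():
    """Constructed demo directory: one 'encrypted' file and two files to ignore."""
    root = tempfile.mkdtemp(prefix="ctb_demo_")
    # High-entropy stand-in for an encrypted PDF (random bytes, not real ransomware output).
    with open(os.path.join(root, "253667.PDF.iryrzpi"), "wb") as fh:
        fh.write(os.urandom(4096))
    # Low-entropy text with a matching-looking name: must not be reported.
    with open(os.path.join(root, "notes.txt.abcdefg"), "wb") as fh:
        fh.write(b"plain text " * 400)
    # Untouched document whose name does not match the pattern.
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    for path, ext, ent in find_ctb_locker_files(build_sample_tree()):
        print(f"{path}: original extension .{ext}, entropy {ent:.2f}")
```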

First and foremost, we would request that you do not attempt to pay the ransom to get your files back. Even if the cyber criminals do actually decrypt your files, the money they get from you will only serve to encourage them to continue their nefarious practices, investing R&D in enhancing their capabilities and global reach. Cyber criminals must be stripped of their Return on Investment incentive to create malware.

Once you have decided not to pay the ransom we would recommend removing the malware immediately. This can be done most easily by:

  1. updating your product
  2. rebooting into Safemode
  3. performing an on-demand scan on your computer
  4. removing the detected components. Note, the main CTB Locker payload is detected as ‘Trojan ( 0049d83b1 )’ and its downloader component is detected as ‘Trojan-Downloader ( 00499db21 )’

Image: CTB Locker detected by K7 Total Security

  • Is it possible to decrypt files encrypted by CTB Locker?

The malware itself demonstrates that files can be decrypted by offering to decrypt 5 randomly chosen files.

Image: CTB Locker test decryption of files

However, the malware uses a high-grade encryption algorithm with a key which is unique to your computer, rendering it effectively impossible to force a decryption en masse.

Image: CTB Locker request for the private key

  • How to restore files encrypted by CTB Locker?

It may not be possible to restore all files encrypted by CTB Locker. However, if your Windows operating system supports System Restore it is possible to recover the contents of many of your folders to a recent restore point before the infection took place.

The most reliable solution, though, is to restore your critical files from regular backups. If you don’t back up your important files regularly then we urge you to start doing so ASAP. Apart from a CTB Locker infection, there are numerous other factors which could render your files irrecoverable in the future, including a hard disk failure. Note, it may also be possible to use deep forensics tools to recover some critical files if they still exist on sectors of the hard disk, but this is not an alternative to regular backups.

  • Will paying the ransom actually decrypt your files?

We refuse to pay any ransom so we are unable to confirm whether payment will actually result in your files being released. Once again, we would request you to not attempt to pay the ransom for the reasons mentioned earlier.

  • Why did K7 not detect and remove CTB Locker?

At K7 Threat Control Lab we are constantly monitoring and acting against CTB Locker infections, including coding robust generic detection for all components of CTB Locker. However, the cyber criminals behind the CTB Locker family have been investing considerable resources in morphing, i.e. changing the appearance of, all their components and spam emails such that they may sometimes be able to get past security scanners, not just K7’s, albeit for a very short period of time. We at K7, and our colleagues at other security companies, are working hard to stay ahead of CTB Locker in order to protect all our customers across the planet.

Samir Mody
Senior Manager, K7TCL

Re-published by K7 Computing Ireland and K7 Computing UK

Free 30 day trial for K7 antivirus security software available at: K7 Computing Ireland or K7 Computing UK

February New K7 antivirus products build release


New K7 Enterprise Security build 2.5.0.35

K7 Computing is happy to announce a new build of its endpoint security product.

K7 Enterprise Security

The main new software improvements include:

  • Improved Rip and Replace feature for installation over a previous security software product.
  • Filter option introduced (with the status Pending / Dispatched / Completed) under Task Details to track task completion on each endpoint.
  • Task status of a client can be viewed by selecting the relevant computer under the Clients list.
  • “All Groups” option introduced under the Group selection UI when creating a new Task, allowing it to be replicated easily to the whole network.

K7 Enterprise Security screenshot 1

Current K7 Enterprise Security installations will receive these updates automatically within the coming days.

Trial licences for your sites and new customers are available by request. Please contact sales@k7computing.co.uk


New K7 Home antivirus security products 14.2.0.249

K7 Computing has released improved versions of its home / small office security products: K7 Antivirus, K7 Total Security and K7 Ultimate Security.

Image: K7 home security antivirus products

Some of the newly updated features:

Permanent Data Deletion

  • Erase sensitive data permanently, which you don’t want others to discover.

Secure Transaction

  • Online monetary transactions protection with anti-screen capture and anti-key logging function.

USB Protection

  • Auto scans USB media for concealed threats and vaccinates USB devices from getting infected.

All versions are available for 30 days free trial at: K7 UK Website or K7 Ireland Website.

Current installations are updated automatically with regular updates.

Latest VB-100 award for K7 Total Security

Image: VB100 award logo

K7 products have appeared in most of our desktop tests over the last few years, with a decent number of passes. The current version installs in decent time with a reboot required, and presents a tough-looking GUI with a military theme. The layout is simple and clear with good status information and decent controls. Stability was flawless throughout, with no issues noted.

Scanning speeds were not bad, and overheads a little high initially but soon became very light. RAM use was around average, CPU use rather low, and our set of activities ran through very quickly.

Detection was pretty good in the reactive sets, dropping away a little into the proactive weeks, but there were no issues in the WildList or clean sets and a VB100 award is earned by K7.

VB-100 August 2014

Editor of World-Renowned Security Magazine Appreciates K7 Speakers

November 7th, 2014

In a nice gesture, the editor of the acclaimed Virus Bulletin magazine has blogged about the presentation of our reserve speaker duo who were meant to present a paper and a short demo, in the event of an absent speaker at the 2014 Virus Bulletin International Conference held recently in Seattle, USA.

VB2014 has already been discussed, highlighting the presentation by K7’s Gregory Panakkal. Nevertheless, this post is dedicated to the reserve speakers from K7 Threat Control Lab, Samir Mody, Senior Manager and V.Dhanalakshmi, Senior Threat Researcher.

Their paper, “Early launch Android malware: your phone is 0wned”, demonstrates the difficulties in removing an active infection by the Android ransomware “Koler/Simple Locker”, which prevents the user from uninstalling it. It also proposes a new framework which Google could adopt to help mobile security vendors defeat Android malware strategies.

View the full presentation and demo at K7 YouTube channel.

Archana Sangili
Content Writer

K7 Computing Ireland: www.k7computing.ie

K7 Computing UK: www.k7computing.co.uk

K7 Enterprise Security and Enterprise Antivirus new version release

K7 Computing is happy to announce latest version 2.5 of K7 Enterprise Security.

This version brings new upgrades and improved compatibility with Windows Server operating systems: K7 Enterprise Security and K7 Enterprise Antivirus now support all types of Microsoft Server OS and use a single installation file to deploy both the K7 security console and the endpoints.

What’s new in K7 Enterprise Security (2.5)

  • Database storage size has been increased to 10 GB
  • ‘Allow’ option is introduced for blocked applications under Application Control
  • New Desktop icon introduced for Admin Console
  • Shortcut icon removed for endpoints, but the sys-tray icon and start menu icon remain
  • Detection and removal added for more third-party AV products

What’s new in K7 Enterprise Security (2.4)

  • Activity Log – The recent update and scan status of a computer can be viewed from Clients » Computer Details.
  • Notification (email & Dashboard) for schedule scan interruption.
  • Password protection for device control
  • Enhancements on Task Details – Scan Summary and Update Summary added.
  • Purging introduced to remove Not Reported computers, older Applications & Tasks automatically.
  • Subnet search on Clients filter.
  • Subscription expiry notification through email and Dashboard (Paid License: 30 days, 15 days & 3 days interval, 30 days Trial License: 15 days, 10 days & 3 days).
  • Multiple selections now allowed to remove the Quarantined files, if the files are not required.
  • Client’s computers list can be exported as a Report.

K7 Enterprise Security and K7 Enterprise Antivirus are available for trial at:

K7 Computing Ireland or K7 Computing UK

_JZ_

K7 Computing IE

K7 released new version 14.2 for home edition antivirus products

K7 Computing has released new version 14.2 of its home edition antivirus products K7 Antivirus Plus, K7 Total Security and K7 Ultimate Security.

New improvements include faster scanning speed and easier integration with the new Windows 8.1 operating system. This was a challenging task for K7 developers, given the remarkable K7 speeds of previous versions.

The products have also received an improved pre-installation scan for other AV products, with an option to automatically uninstall them. This prevents possible conflicts and system performance and instability problems.

The new version has also been tested by Softpedia with very good results: Full article in Softpedia

For free trial visit:

United Kingdom: Free 30 day trial

Ireland: Free 30 day trial

K7 Ultimate Security 2014 options

-JZ-

K7 Computing Ireland and UK August 2014

K7 Supports Windows 8.1

K7 Computing released the latest build for K7 antivirus home edition products with enhanced features and support for the latest Windows 8.1 operating system.

Release Notes:

1. Microsoft Windows 8.1 upgrade support added

2. Parental Control/Web filtering support added for Internet Explorer 11 and the latest Google Chrome versions

3. New Scan Engine included as a part of regular speed performance and detection quality enhancements

4. Safe search support added for Internet Explorer 10 and Internet Explorer 11


New build version of K7 Ultimate Security, K7 Total Security and K7 Antivirus plus version 13.1.0205 onwards is delivered to K7 users via regular update.

For a free 30 day trial visit:

United Kingdom: http://www.k7computing.co.uk/free_trial_download.php

Ireland: http://www.k7computing.ie/free_trial_download.php

K7 Total Security secured yet another VB-100 award

K7 Total Security 13.1 product has earned the latest VB100 award for the Windows XP SP3 platform.

Image: VB-100 award

We are pleased to say that we have earned yet another VB-100 award. Constant research and development on K7 antivirus products is gaining recognition among professionals and end users.

The latest K7 Total Security, version 13.1, achieved a higher position than in previous test results.

The test result shows that:

  • K7 has made big improvements in proactive and reactive detection rates for antivirus protection.
  • The Virus Bulletin organisation has praised the new look and feel of K7 Total Security.
  • K7 Total Security is rated as ‘Solid’ which is the best rating for product stability.

Full test results: https://www.virusbtn.com/vb100/archive/test?recent=1